Both 40D LEDs Found and Multiple Blinks

ASalina

« on: 02 / June / 2008, 15:39:17 »

Advertisements

Ok, I've found the location of both the "Direct Print" LED and the "Drive Activity" LED. I've also gotten them to blink multiple times (confirming that data can be blinked out through them).

~~The Drive Activity LED (red) is at 0xC0220038~~
~~and the Direct Print LED (blue) is at 0xC022003A~~

EDIT: owerlord was right!

Drive Activity LED is at 0xC02200E0
and Direct Print LED is at 0xC02200E8

0x46 turns them on and I can't yet say for sure what value turns them off because I'm still just replacing the value that was found there. I guess the first real use of this program is to blink out what was found at those addresses.

Where is that code for blinking out hex digits?:-)

« Last Edit: 02 / June / 2008, 15:49:31 by ASalina »

Logged

owerlord

115

Re: Both 40D LEDs Found and Multiple Blinks

« Reply #1 on: 02 / June / 2008, 15:46:42 »

hate to say it again, but I think its:
0xC02200E0
0xC02200E8

0x38 blinks means: 0x38*sizeof(int) = 0xE0

NEW: I used a very simple transfer protocol - just 0 - short delay, 1 long delay, and begin of string very long delay, so it looks like:
led on, very long delay, led off, bit, led on, bit, led off, bit, led on ....
In my program is like: long is 2*short, and very long is 4*short.

« Last Edit: 02 / June / 2008, 15:49:47 by owerlord »

Logged

ASalina

Re: Both 40D LEDs Found and Multiple Blinks

« Reply #2 on: 02 / June / 2008, 15:54:28 »

Quote from: owerlord on 02 / June / 2008, 15:46:42

hate to say it again, but I think its:
0xC02200E0
0xC02200E8

0x38 blinks means: 0x38*sizeof(int) = 0xE0

Yes. See my edit. :-)

Quote

NEW: I used a very simple transfer protocol - just 0 - short delay, 1 long delay, and begin of string very long delay, so it looks like:
led on, very long delay, led off, bit, led on, bit, led off, bit, led on ....
In my program is like: long is 2*short, and very long is 4*short.

Kind of like Morse Code...

Logged

ASalina

Re: Both 40D LEDs Found and Multiple Blinks

« Reply #3 on: 02 / June / 2008, 16:06:48 »

Does anyone know how to write to the CF card yet, like udumper does?

That would be so much easier than blinking.

Logged

owerlord

115

Re: Both 40D LEDs Found and Multiple Blinks

« Reply #4 on: 02 / June / 2008, 16:10:30 »

I got a good news for you. there is a usable CF-code in the bootloader. You can dump that by led, and then start to analyse it and find how to write to CF.

Code: [Select]

#define LEDSPEED (1<<ledspeed)
#define LEDWSPEED (1<<ledwspeed)

#define LED ((int*) 0xC02200A0)
#define LEDBLUE ((int*) 0xC0220000)
#define LEDLONG delay(LEDSPEED<<1)
#define LEDSHORT delay(LEDSPEED)
#define LEDWLONG delay(LEDWSPEED)
#define LEDON  *LED = 0x46
#define LEDOFF *LED = 0x44
#define LEDBIT(x) if (c & x) LEDLONG; else LEDSHORT;

int send_string(char* str)
{
 char c;
 LEDON;
 LEDWLONG;
 for (; *str; str++)
 { c=*str;
  LEDOFF;
  LEDBIT(0x80);
  LEDON;
  LEDBIT(0x40);
  LEDOFF;
  LEDBIT(0x20);
  LEDON;
  LEDBIT(0x10);
  LEDOFF;
  LEDBIT(0x08);
  LEDON;
  LEDBIT(0x04);
  LEDOFF;
  LEDBIT(0x02);
  LEDON;
  LEDBIT(0x01);
 }
  LEDOFF;
  LEDSHORT;
}

char *base64="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="

int send_base64(char* start,int len)
{char base[78];
 base[76] = '\n';
 base[77] = 0;
 char* end = start + len;
 unsigned int mask;
 unsigned int b, i=0;
 for (; start < end; start+=3)
 {
   b = ((*start)<<16)+((*(start+1))<<8)+(*(start+2));
   base[i+3] = base64[b & 0x3F];
   b = b>>6;
   base[i+2] = base64[b & 0x3F];
   b = b>>6;
   base[i+1] = base64[b & 0x3F];
   b = b>>6;
   base[i  ] = base64[b & 0x3F];
   i += 4;
   if (i >= 76)
   { send_string(base);
     i=0;
   }
 }
 if (i) {
  for (; i<76; i++) base[i]='=';
  send_string(base);
 }
}

int delay(int i)
{
  while (i--)
  {
    asm("NOP");    asm("NOP");    asm("NOP");    asm("NOP");
    asm("NOP");    asm("NOP");    asm("NOP");    asm("NOP");
    asm("NOP");    asm("NOP");    asm("NOP");    asm("NOP");
    asm("NOP");    asm("NOP");    asm("NOP");    asm("NOP");
  }
}

the ledspeed and ledwspeed are to set (expotential).

« Last Edit: 02 / June / 2008, 16:14:35 by owerlord »

Logged

ASalina

Re: Both 40D LEDs Found and Multiple Blinks

« Reply #5 on: 02 / June / 2008, 23:42:07 »

A little interesting thing. The original values stored in the LED ports is 0x48, not 0x44. So 0x48 is the "off" value.

I blinked this out using:

blue_val = *(BLUE_LED);

(0x00000F & blue_val)

and

(0x00000F & (blue_val >> 4))

as the test in a for() loop. Same thing with the red LED.

I think I have an old mouse with a photodiode in it, so I'm going to try blinking out some data directly to the computer.

How much data (from the firmware section) would be needed to reverse the encryption of the payload in the firmware update?

Or can I try to get the hash tables from memory? Any suggestions?

Logged

mx3

372

Re: Both 40D LEDs Found and Multiple Blinks

« Reply #6 on: 02 / June / 2008, 23:51:08 »

Quote from: ASalina on 02 / June / 2008, 23:42:07

How much data (from the firmware section) would be needed to reverse the encryption of the payload in the firmware update?

flasher has decryption routine.
i don't think you need ROM-dump for this

Logged

skype: max_dtc. ICQ: 125985663, email: win.drivers(at)gmail, eVB decompiler